CIPP Cheat Sheet 2026
The 30 highest-yield CIPP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
90 questions
150 min time limit
68.00% to pass
- Under the Gramm-Leach-Bliley Act (GLBA), what must financial institutions provide to customers at the time of establishing a customer relationship? → An initial privacy notice
- Which federal agency has primary enforcement authority over national banks under GLBA's privacy provisions? → Office of the Comptroller of the Currency (OCC)
- The Fair and Accurate Credit Transactions Act (FACTA) most significantly amended FCRA by establishing: → The right to one free credit report per year from each major consumer reporting agency
- What right allows California consumers to correct inaccurate personal information held by a business? → Right to Correct (added by CPRA)
- Which type of entity is directly covered by HIPAA's Privacy Rule? → Covered entities (health plans, providers, clearinghouses)
- Under US law, what is the primary federal statute governing spam texts sent to mobile phones? → Telephone Consumer Protection Act (TCPA)
- Which privacy concern arises when employers use social media screening of job applicants? → Exposure to legally protected characteristics not visible during the interview process
- Which HIPAA right allows a patient to request that a covered entity not disclose their PHI to their health plan for services paid out-of-pocket? → Right to request restrictions on disclosures to health plans
- Which of the following constitutes a 'permissible purpose' for obtaining a consumer report under FCRA? → A credit transaction initiated by the consumer
- Which type of information was added to many states' breach notification laws following high-profile biometric data breaches? → Biometric data (fingerprints, facial recognition)
- Which of the following is NOT a permitted use or disclosure of PHI under the HIPAA Privacy Rule without patient authorization? → Marketing campaigns selling health products
- Under GLBA, which entities qualify as 'financial institutions' subject to its privacy provisions? → Businesses significantly engaged in financial activities
- The FCRA 'Furnisher Rule' primarily requires entities that report information to consumer reporting agencies to: → Maintain reasonable policies to ensure accuracy and integrity of reported information
- Under FERPA, when does a student's (not parent's) right to control education records begin? → When the student turns 18 or attends a postsecondary institution
- Which GLBA exception permits financial institutions to share NPI with unaffiliated third parties without offering consumers an opt-out right? → Joint marketing agreement exception
- Under the 2023 FTC Safeguards Rule amendment, non-banking financial institutions must notify the FTC of breaches affecting how many customers? → 500 or more customers
- What is the primary purpose of a 'risk of harm' threshold in breach notification laws? → To require notification only when there is meaningful risk of harm to individuals
- What is the HIPAA Privacy Rule's general rule on the use of PHI for marketing? → PHI cannot be used for marketing without written patient authorization
- Which type of employee data is most commonly regulated by state biometric privacy laws like Illinois BIPA? → Fingerprint scans used for timekeeping or access control
- Which US law regulates the privacy of electronic communications made by pen register or trap-and-trace devices? → Pen Register Act (Title III of ECPA)
- The GLBA opt-out right allows consumers to prevent a financial institution from sharing their NPI with which type of party? → Unaffiliated third parties not covered by a statutory exception
- Under FTC authority, breach notification for certain health apps is governed by what rule? → Health Breach Notification Rule
- Which entity established by the CPRA is responsible for enforcing California privacy law and issuing regulations? → California Privacy Protection Agency (CPPA)
- Which of the following is excluded from the definition of 'nonpublic personal information' (NPI) under GLBA? → Publicly available information from government records
- Which of the following is NOT a permissible purpose for obtaining a consumer report under FCRA? → Satisfying personal curiosity about a neighbor
- FACTA's 'Red Flags Rule' requires covered entities to: → Develop and implement written programs to detect and respond to identity theft red flags
- When a consumer reports identity theft under FACTA, what right does the consumer have regarding their credit report? → Place a fraud alert and block fraudulent information resulting from the identity theft
- Self-regulation principally entails a company's right to what, according to Section 5 of the FTC Act? → Determine which bodies will be involved in adjudication
- Under the ADA, what type of employee medical information must employers keep in confidential files separate from general personnel files? → All medical information obtained through employment-related examinations or inquiries
- What CPRA requirement applies to businesses that engage in 'profiling' consumers in ways that significantly affect them? → Right to opt out of automated decision-making and profiling
Turn these facts into recall: